The Global State of Information Security 2003

From a worldwide study conducted by PricewaterhouseCoopers and CIO magazine, we look at where infosec is in 2003 and where it's going.

By Scott Berinato

Page 5

2. Consider extracting the information security function from the IT department.

Little Bangs Everywhere

Major security breaches are the exception, not the rule. Most security incidents lasted less than a day and cost less than $100,000. And most companies had 10 or fewer such events in the past year.

What the Numbers Mean

Terrorists can shut down the Internet or the power grid. A hacker can take down your whole company. Both are plausible headlines (or lines from consultants trying to sell their services) from the past year. But survey data shows that you're not dealing with the Great Chicago Fire. You're dealing with lots of little brush fires.

The question then becomes: Are the little hacks common because you haven't done a good job of protecting your enterprise? Are the big-bang incidents rare because you have? Or are you simply lucky enough to have avoided the big problems but not lucky enough to ward off the smaller incidents?

In any case, you're exposed to the smaller incidents. And Howard Schmidt, vice president and CISO of eBay (and former special adviser to the White House for cyberspace security), thinks the prevalence of little bangs everywhere does not suggest you've done a good job steeling yourself against major attacks. Instead, he sees a severe lack of discipline everywhere.

"If anything, the more you take care of the little stuff, the less likely someone will be able to pull off a big attack," says Schmidt. "I see it all the time. Companies are always pushing, 'Let's just open this one little port.' Then next thing you know they want another port, and another. And that leads to all these vulnerabilities, which turn into little brush fires. No one draws the line and says no. Instead of creating a culture of security, we're often creating a culture of getting around security."

The way technology is designed, based on open architectures, only fosters that kind of shortcut culture.

One of the reasons the culture has centered on side-stepping security is that it's usually a pretty simple thing to do: open a port, or allow someone to receive attachments in e-mail. For this, there is no architectural cure.

But the encouraging message buried in Schmidt's commentary is that, to mitigate the problem, little if any additional technology, spending or other resources are really required. All that's required is some discipline: someone to draw the line and say no.

To-Dos

1. Refocus a security program so that it takes into account the smaller, more frequent threats as well as "the sky is falling" threats.
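Schmidt's "just one little port" pattern is, in practice, a missing control: nobody checks whether each exception still has an owner, a justification and an end date, so exceptions quietly become permanent. As an added illustration (this is not code from the article, CIO or PricewaterhouseCoopers), the script below audits a firewall allow-list against an approved baseline and flags exactly those undisciplined exceptions. The column format, the sample rules, the baseline and the dates are all constructed for the example; they do not correspond to any vendor's export syntax.

```python
"""Audit a firewall allow-list for "just one more port" drift.

Added example; the line format (action proto port source owner expires reason,
with "-" meaning "not recorded") is constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample export of inbound allow rules. Each opened port is
# supposed to carry an owner, an expiry date and a one-word justification.
SAMPLE_RULES = """\
# action proto port source     owner    expires    reason
allow tcp 443  0.0.0.0/0   webteam  2099-12-31 public-web-frontend
allow tcp 22   10.0.0.0/8  ops      2099-12-31 admin-ssh-from-corp
allow tcp 3389 0.0.0.0/0   -        -          -
allow tcp 1433 0.0.0.0/0   dba      2003-01-15 temporary-vendor-access
allow udp 161  10.0.0.0/8  netops   2099-12-31 snmp-monitoring
allow tcp 5900 0.0.0.0/0   helpdesk -          remote-support
"""

# The standing exposure the organisation has actually signed off on
# (constructed): everything else is an exception that needs a reason.
BASELINE: Set[Tuple[str, int]] = {("tcp", 443), ("tcp", 22), ("udp", 161)}


@dataclass
class Rule:
    proto: str
    port: int
    source: str
    owner: Optional[str]
    expires: Optional[date]
    reason: Optional[str]


def _field(value: str) -> Optional[str]:
    """Map the "-" placeholder to None so missing metadata is explicit."""
    return None if value == "-" else value


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed export, skipping comments and non-allow rules."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, port, source, owner, expires, reason = line.split()
        if action != "allow":
            continue
        exp = _field(expires)
        rules.append(Rule(proto, int(port), source, _field(owner),
                          date.fromisoformat(exp) if exp else None,
                          _field(reason)))
    return rules


def audit(rules: List[Rule], baseline: Set[Tuple[str, int]],
          today: date) -> Dict[str, List[str]]:
    """Return, per open port, the discipline failures found for it."""
    findings: Dict[str, List[str]] = {}
    for r in rules:
        in_baseline = (r.proto, r.port) in baseline
        problems: List[str] = []
        if not in_baseline:
            problems.append("not in approved baseline")
        if r.owner is None or r.reason is None:
            problems.append("no owner/justification recorded")
        if r.expires is None:
            problems.append("no expiry (exception became permanent)")
        elif r.expires < today:
            problems.append(f"expired {r.expires.isoformat()} but still open")
        if r.source == "0.0.0.0/0" and not in_baseline:
            problems.append("reachable from any source")
        if problems:
            findings[f"{r.proto}/{r.port}"] = problems
    return findings


def drift(rules: List[Rule], baseline: Set[Tuple[str, int]]) -> int:
    """How many (proto, port) pairs are open beyond the approved baseline."""
    live = {(r.proto, r.port) for r in rules}
    return len(live - baseline)


def audit_sample(today_iso: str = "2003-09-01"):
    """Run the audit over the constructed sample; returns (findings, drift)."""
    rules = parse_rules(SAMPLE_RULES)
    return audit(rules, BASELINE, date.fromisoformat(today_iso)), drift(rules, BASELINE)


if __name__ == "__main__":
    findings, extra = audit_sample()
    for port, problems in findings.items():
        print(port)
        for p in problems:
            print("  -", p)
    print("ports open beyond baseline:", extra)
```

Run against the sample with the constructed audit date of 2003-09-01, the three approved services pass, while tcp/3389 (no owner, no reason, no expiry, open to the world), tcp/1433 (a "temporary" vendor exception that expired months ago) and tcp/5900 (justified but never given an end date) are reported, with a drift of three ports beyond the baseline. The useful property is that the check is mechanical: the person who has to "draw the line" gets a list rather than a judgement call.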
